FortiOS 8.0: AI Controls, Sovereign SASE, Post-Quantum
Published 17 Apr 2026
· By
Satyam Maurya
· Network Security
· 20 min read
On 10 March 2026, at Accelerate 2026 in Las Vegas, Fortinet announced FortiOS 8.0 — the latest release of the operating system that powers the Fortinet Security Fabric. The release pushes three concurrent enterprise problems into first-class platform features: secure AI adoption, data sovereignty in SASE, and post-quantum cryptographic agility. This is the deepest FortiOS refresh since the 7.0 series.
🚀 Launch
10 Mar 2026
Accelerate 2026, Las Vegas
🤖 Pillar 1
AI-Driven Security
Shadow AI · MCP · A2A · OCR DLP
🌐 Pillar 2
Flexible SASE
SASE Outpost · Sovereign SASE
🔐 Pillar 3
Quantum-Safe
ML-DSA · Hybrid KEX · PQ-TLS
🏢 Companion
FortiSOC
Unified cloud-delivered SecOps
Disclosure: Ogma Consulting is an authorised Fortinet partner. This article is a technical explainer based on Fortinet's own press release and product pages. Verify feature availability against the specific FortiOS 8.0 build, hardware SKU and regional release train with your Fortinet account team or Ogma before planning an upgrade.
What Fortinet Actually Announced
Fortinet's FortiOS 8.0 press release frames the release around three pillars. Founder, Chairman and CEO Ken Xie positioned it as the product of "more than 25 years of innovation at the intersection of networking and security," stressing that "as organisations embrace AI, cloud, and increasingly encrypted environments, a unified operating system is essential to reduce complexity, improve visibility, and ensure security can scale without slowing the business."
Pillar 1 · AI-Driven Security
Govern sanctioned and shadow AI
- FortiView for AI attack surface
- AI-aware application control
- MCP & agent-to-agent visibility
- DLP with OCR for images & scans
- Fabric-wide AI agents · FortiAI-Assist
Pillar 2 · Next-Gen SASE
Flex deployment, sovereign data
- SASE Outpost — customer-controlled POP
- Sovereign SASE — logs, control, POP
- Unified SD-WAN bundles
- Multipath IPsec tunnels
Pillar 3 · Quantum-Safe
Crypto-agility built in
- PQC certificates including ML-DSA
- Hybrid key exchange
- PQ-safe SSL deep inspection
- Quantum-safe agentless VPN
New capabilities span FortiGate, FortiSASE, FortiManager, the Fortinet Unified Agent and FortiGuard DLP — and Fortinet announced a companion product, FortiSOC, in a parallel press release on the same day, unifying FortiAnalyzer, FortiSIEM and FortiSOAR capabilities as a single cloud service.
🤖 Pillar 1 — AI-Driven Security
Controlling ChatGPT, Copilot, Claude, Perplexity and the dozens of embedded GenAI features inside SaaS apps has been a patchwork of app-IDs, CASB rules and DLP policies. FortiOS 8.0 makes GenAI a first-class category across FortiGate, FortiSASE and the Unified Agent.
FortiView for AI attack surface and shadow AI
A dedicated FortiView dashboard surfaces every AI application and service in use across the tenant, distinguishing sanctioned corporate-approved tools from unsanctioned employee usage of personal ChatGPT accounts, unlisted browser extensions and unauthorised agents.
Action-level control inside approved GenAI tools
The classical choice with GenAI was binary: allow or block. FortiOS 8.0 moves to action-level control within approved tools. You can let users run queries against a sanctioned GenAI while blocking the specific actions that leak data — uploads, pasting customer PII, sharing internal documents, exporting chat history.
Model Context Protocol & agent-to-agent visibility
Two of the fastest-growing traffic patterns in 2026 are Model Context Protocol (MCP) — the open protocol agents use to attach to tools and data — and agent-to-agent (A2A) traffic, where one AI agent calls another over the network. Both are largely invisible to legacy DPI. FortiOS 8.0 introduces native classifiers and telemetry for MCP and A2A flows.
DLP with optical character recognition
FortiGuard DLP can now perform optical character recognition on images, scans and screenshots. The classic workaround — "I'll just screenshot the Aadhaar / PAN / bank statement and paste it into ChatGPT" — stops working.
Fabric-based AI agents and FortiAI-Assist
FortiOS 8.0 embeds conversational AI agents across the Security Fabric — inside FortiGate, FortiManager and SD-WAN workflows. FortiAI-Assist for FortiGate guides admins through troubleshooting with step-by-step remediation rather than dumping a CLI.
💡 Why this matters for India CISOs
Under DPDPA 2023 and the CERT-In April 2022 directions, an organisation is accountable for every channel that leaks personal data — including pasting it into a GenAI. Shadow-AI discovery and OCR DLP together close the two biggest gaps in most Indian enterprises' current DPDPA posture.
🌐 Pillar 2 — Next-Generation SASE
FortiSASE has been maturing since 2022, but 8.0 adds two genuinely novel deployment models — both tuned for constraints Indian customers care about.
Bring the SASE POP on-premises
SASE Outpost extends SASE enforcement closer to users and applications by deploying a SASE POP in a customer-controlled location — on-premises, private data centre or colocation — while keeping centralised management in the Fortinet cloud.
Granular data-sovereignty layers
Sovereign SASE introduces a multilayer sovereignty model with granular control over where logs are retained, where the control plane resides, and where the POP physically sits.
SD-WAN
Unified SD-WAN bundles
Overlay and underlay connectivity consolidated under a single console. Reduces the pain of multi-ISP link management without third-party overlays.
IPsec
Multipath IPsec tunnels
A single IPsec session can now span multiple links for resiliency and performance. Meaningful for bank branches, retail, manufacturing plants and logistics hubs.
🔐 Pillar 3 — Quantum-Safe Security
"Harvest now, decrypt later" is no longer theoretical. Attackers already intercept encrypted traffic today, expecting a cryptographically relevant quantum computer to decrypt it in the 2030s. NIST finalised its first post-quantum standards in August 2024, and Indian regulators are starting to ask about crypto-agility in new tenders. FortiOS 8.0 answers this with three concrete capabilities.
Certificates
PQC certificates including ML-DSA
Critical management access paths — including agentless VPN connectivity — now support Post-Quantum Cryptography certificates, including ML-DSA, for quantum-resistant authentication.
Key Exchange
Hybrid key exchange in SSL DPI
FortiOS 8.0's SSL deep inspection now uses hybrid key exchange pairing a classical algorithm with a post-quantum one — visibility into encrypted traffic and quantum resilience, not a choice between the two.
FortiSASE
Quantum-safe SASE
The same hybrid and PQ-safe primitives extend to FortiSASE — protecting remote access tunnels, agentless VPN and management planes end-to-end.
💡 Crypto-agility is the real win
No enterprise needs to migrate every TLS session to post-quantum ciphers tomorrow. What they do need is the ability to flip the switch when regulators mandate it — without a forklift upgrade. FortiOS 8.0 makes that flip a configuration change rather than a multi-quarter project.
🏭 OT / ICS Enhancements
Fortinet's FortiOS product page calls out specific OT security enhancements in 8.0 — the first FortiOS release that treats OT as a first-class tenant rather than a bolt-on.
Encrypted OT
Virtual IP for OT servers
Virtual IP support for encrypted OT server communications — closing a long-standing gap in how FortiGates front ICS workloads.
Compliance
NERC CIP & IEC 62443
Alignment with NERC CIP (Critical Infrastructure Protection) and IEC 62443 for industrial automation, with enhanced IPsec connectivity for ICS environments.
🏢 Companion — FortiSOC
On the same day as FortiOS 8.0, Fortinet previewed FortiSOC — a cloud-delivered platform bringing together the core capabilities of FortiAnalyzer, FortiSIEM and FortiSOAR into a single integrated service.
What FortiSOC unifies
FortiSOC is a companion, not a prerequisite — you can run FortiOS 8.0 without it. But for organisations that have been stitching FortiAnalyzer, FortiSIEM and FortiSOAR together manually, the unified model is likely to be the cleaner operational path from 2026 onwards.
What's New in 8.0 — At a Glance
| Capability | Pillar | What Fortinet officially states |
|---|---|---|
| FortiView for AI attack surface & shadow AI | AI | Sanctioned vs unsanctioned AI tool visibility |
| AI-aware application control | AI | Approve GenAI tools, block risky data-exposure actions |
| Model Context Protocol (MCP) & A2A visibility | AI | Reveal hidden AI activity across apps, agents and tools |
| Enhanced DLP with OCR | AI | Sensitive data detection in images and scans |
| AI agents across the Security Fabric | AI | Guided, conversational firewall & SD-WAN workflows |
| FortiAI-Assist for FortiGate | AI | Firewall troubleshooting with step-by-step remediation |
| SASE Outpost | SASE | POP in customer-controlled locations, centralised cloud mgmt |
| Sovereign SASE | SASE | Multilayer sovereignty — log retention, control plane, POP |
| Unified SD-WAN bundles | SASE | Integrated overlay/underlay with centralised management |
| Multipath IPsec tunnels | SASE | Resiliency and performance across distributed environments |
| PQC certificates incl. ML-DSA | Quantum | Securing management access paths and agentless VPN |
| Enhanced SSL deep inspection | Quantum | Hybrid key exchange + post-quantum-safe cryptography |
| OT virtual IP & NERC CIP / IEC 62443 alignment | OT | Encrypted OT server communications + ICS IPsec enhancements |
Should You Upgrade to FortiOS 8.0?
FortiOS major releases follow a predictable maturity curve. Early 7.0, 7.2 and 7.4 builds all had rough edges and Fortinet eventually settled on a recommended "gold" patch several minor revisions in. Expect the same with 8.0. Our decision framework for Ogma customers:
Hold
Production HA pairs
Stay on the current Fortinet-recommended 7.4 or 7.6 gold build until 8.0 has at least one maintenance release and Fortinet publishes a recommendation for your hardware model family.
Test Now
Lab / POC clusters
Upgrade now to exercise FortiView for AI, AI-aware app control and SASE Outpost against real user traffic before you commit production licences.
Green-field
New deployments H2 2026
Plan for 8.0 as the baseline. Budget for the FortiSASE, FortiGuard DLP and Unified Agent entitlements that make the AI governance features actually work.
Prioritise
OT / ICS segments
OT-specific enhancements are reason enough to prioritise 8.0 on new OT firewall deployments, subject to vendor-compat testing (SCADA, DCS, historian).
Budget FY26-27
BFSI, healthcare, government
Sovereign SASE + PQ-safe SSL deep inspection are the strongest reasons to bring the upgrade into the FY26-27 budget cycle.
⚠️ Hardware compatibility check first
Not every FortiGate model will receive FortiOS 8.0. Older E-series appliances in particular may be frozen at 7.x. Before scheduling any upgrade, pull the per-model compatibility matrix from docs.fortinet.com and confirm your hardware is supported on the target 8.0 build.
What This Means for Indian Enterprises
Mapped to the compliance frameworks Indian customers actually get audited against, FortiOS 8.0 solves some very specific pain points:
Shadow AI + OCR DLP
Closes the two largest uncontrolled personal-data leakage vectors — employee GenAI usage and image-based data egress.
Sovereign SASE
Keeps SASE logs and control plane India-resident while still benefiting from cloud-managed policy and threat intelligence.
PQ-safe SSL DPI + hybrid KEX
Gives regulated intermediaries a path to crypto-agility without sacrificing encrypted-traffic visibility.
Unified SD-WAN + FortiSOC logs
Unified log ingestion, normalisation and retention support the 180-day ICT log retention requirement when configured to match.
OT enhancements
Virtual IP for encrypted OT and NERC CIP / IEC 62443 alignment matter for insurers on OT-adjacent claims systems and for utilities.
✅ Key Takeaways
- FortiOS 8.0 was announced on 10 March 2026 at Accelerate 2026 and is organised around three pillars: secure AI, flexible SASE and post-quantum cryptography.
- Headline AI capabilities — FortiView for AI attack surface, AI-aware application control, MCP and A2A visibility, OCR DLP and Fabric-wide AI agents — materially improve what a FortiGate can do against GenAI-driven data leakage.
- SASE Outpost and Sovereign SASE give regulated Indian customers a credible path to SASE adoption without breaking data-residency requirements.
- Post-quantum readiness is now a platform property — ML-DSA certificates, hybrid key exchange and PQ-safe SSL deep inspection — rather than a roadmap item.
- FortiSOC, announced in parallel, unifies FortiAnalyzer, FortiSIEM and FortiSOAR under a single cloud-delivered platform with agentic AI.
- Upgrade timing matters — wait for a maintenance release and a Fortinet-recommended build for your hardware model before moving production HA pairs. Lab now, production on the recommended 8.0.x gold train.
🔥 Authorised Fortinet Partner
Planning a FortiOS 8.0 migration?
Ogma Consulting runs NSE7-certified engineers across BFSI, manufacturing and government estates. We scope upgrade paths, validate hardware compatibility, design SASE Outpost and Sovereign SASE deployments, and run FortiAI / FortiSOC pilots. Talk to our Fortinet practice.
Stay ahead of cyber threats
One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.
